Tracing ransom in a hostage situation

Huge cyberattack in 150 countries fills just three Bitcoin wallets

Animated map of attack from NYT

A global ransomware cyber attack hit over 200,000 companies and government organizations in over 150 countries. This article is about the ransom money.

It’s OK to drive away without paying at the car park.

The attack crippled UK hospitals, Japanese shops, ATMs, Russian terminals and even the payment system of Dutch car parks. As a result of the ransomware, those who parked didn’t have to pay, but most others did. As we speak, 190 organisations have paid at least $300 each to get their files decrypted — and still counting. It will take days to establish the total financial gain the criminal(s) made. On Sunday, the total profit was over $32,000. Monday was a top day: the total ransom grew to $54,000 (16:00 hrs).

Most hospitals or governments don’t have a Bitcoin account lying around and need 24–48 hours to grasp the concept. That’s another reason why it can take days before people actually start to pay the ransom money. This weekend started slowly, with just 8.2052332 BTC paid by Sat May 13 10:07:14 EEST, roughly $15,000.

But today, Sunday, it has doubled to $32,000.

Live tracking of the ransom money dropping in. It started slowly on Saturday but doubled on Sunday.

Monday, 20.00 hrs:

So how do you calculate the amount of ransom money during a hostage situation? How on earth is it possible to live-track the money that is handed over? This all has to do with how Bitcoin works.

Yes, who is behind a transaction is untraceable. But it is possible to find the secret drop-off address that the criminals use, even though they are clearly not at home. For that you need to know which wallet you can pay into. Often, many wallets are used in ransomware situations to avoid detection.

As we speak, the hostage situation is still going on. The attacks have almost stopped, but part of the aftermath is that some institutions are still wondering: do we pay or not?

Strangely enough, only three wallets are used in this worldwide attack (see also the excellent factsheet). How do you trace how much ransom money has been collected right now? Click on each link.

Bitcoin ransom addresses

Three addresses hard-coded into the malware.

You will see the number of transactions for each wallet and the amount of bitcoin that was handed over. Now it’s a question of simple math: add up all the transactions and you know how many institutions paid (over 100); add up all the bitcoin and you know how much they paid (at least $300 each time) and the total (now over $32,000).

The internet will do the math for you with this tracker.
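The "simple math" above, written out as an added example (not the author's tracker): it sums only the outputs paid into the three wallets, ignores unrelated outputs and sub-ransom dust, and converts the total at a supplied rate. The wallet strings, the sample outputs and the exchange rate are placeholders and constructed data, not the real addresses or chain records.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical placeholders: the three real addresses are linked from the
# article and not reproduced here; substitute the actual hard-coded strings.
RANSOM_WALLETS = {"WALLET_1_PLACEHOLDER", "WALLET_2_PLACEHOLDER", "WALLET_3_PLACEHOLDER"}

@dataclass(frozen=True)
class Output:
    """One transaction output as a block explorer lists it."""
    txid: str
    address: str   # receiving address
    btc: Decimal   # value paid to that address

def tally_ransom(outputs, wallets, usd_per_btc, min_ransom_usd=Decimal("300")):
    """Sum inbound payments to the ransom wallets: only outputs paid *to* a
    wallet count, and an output worth less than the $300 minimum ransom is
    treated as dust or test traffic rather than a victim paying. Returns
    per-wallet counts and totals plus the grand total in BTC and USD."""
    per_wallet = {w: {"payments": 0, "btc": Decimal(0)} for w in wallets}
    dust = 0
    for out in outputs:
        if out.address not in wallets:
            continue  # change or unrelated output
        if out.btc * usd_per_btc < min_ransom_usd:
            dust += 1
            continue
        per_wallet[out.address]["payments"] += 1
        per_wallet[out.address]["btc"] += out.btc
    total_btc = sum((v["btc"] for v in per_wallet.values()), Decimal(0))
    return {
        "per_wallet": per_wallet,
        "payments": sum(v["payments"] for v in per_wallet.values()),
        "dust_outputs": dust,
        "total_btc": total_btc,
        "total_usd": (total_btc * usd_per_btc).quantize(Decimal("0.01")),
    }

# Constructed sample, not real chain data; the rate approximates the one
# implied by the article's 8.2 BTC ~ $15,000 figure.
SAMPLE_RATE = Decimal("1828")
SAMPLE_OUTPUTS = [
    Output("tx-a", "WALLET_1_PLACEHOLDER", Decimal("0.17")),    # ~$311 ransom
    Output("tx-b", "WALLET_2_PLACEHOLDER", Decimal("0.1645")),  # ~$301 ransom
    Output("tx-c", "WALLET_3_PLACEHOLDER", Decimal("0.33")),    # ~$603, still one payer
    Output("tx-d", "WALLET_1_PLACEHOLDER", Decimal("0.0001")),  # dust, not a victim
    Output("tx-e", "somebody-elses-address", Decimal("1.0")),   # unrelated output
]
```

Call `tally_ransom(SAMPLE_OUTPUTS, RANSOM_WALLETS, SAMPLE_RATE)` to get three payments totalling 0.6645 BTC; the payment count is the "how many institutions paid" figure, the USD total is the ransom collected so far.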

Henk van Ess, @henkvaness, is a member of the investigation team of @bellingcat. If you quote from this article, please include the source.